#!/bin/sh
# prefix command to run stuff from our programs directory
# Copyright (C) 1998-2002  Henry Spencer.
# Copyright (C) 2013       Tuomo Soini <tis@foobar.fi>
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#

test $IPSEC_INIT_SCRIPT_DEBUG && set -v -x

# where the private directory and the config files are
IPSEC_CONF="${FINALCONFFILE:-@FINALCONFFILE@}"
IPSEC_EXECDIR="${IPSEC_EXECDIR:-@IPSEC_EXECDIR@}"
IPSEC_LIBDIR="${IPSEC_LIBDIR:-@IPSEC_LIBDIR@}"
IPSEC_SBINDIR="${IPSEC_SBINDIR:-@IPSEC_SBINDIR@}"

IPSEC_DIR="$IPSEC_LIBDIR"
export IPSEC_DIR IPSEC_LIBDIR IPSEC_EXECDIR IPSEC_CONF

# standardize PATH, and export it for everything else's benefit
PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
export PATH

# things not to be listed in --help command list
DONTMENTION='^(ipsec|_.*|.*\.old|.*~)$'

# version numbering (details filled in by build)
# Possibly should call a C program to invoke the version_code() function
# instead, but for performance's sake, we inline it here (and only here).
version="@IPSECVERSION@"

# export the version information
IPSEC_VERSION="$version"
export IPSEC_VERSION

# function for the funky user/kernel version stuff
fixversion() {
    if [ -f /proc/net/ipsec_version ]; then
	stack=" (klips)"
	kv="$(awk '{print $NF}' /proc/net/ipsec_version)"
    else
        if [ -f /proc/net/pfkey ]; then
	    stack=" (netkey)"
            kv=$version
        else
	    if [ -f /mach_kernel ]; then
		stack=" (OSX)"
                kv="$(uname -r)"
	    else
                kv="(no kernel code presently loaded)"
	    fi
        fi
    fi
    if [ "$kv" != "$version" ]; then
	version="U$version/K$kv"
    fi
    version="$version$stack on $(uname -r)"
}

if [ $(id -u) -ne 0 ]; then
    echo "permission denied (must be superuser)"
    exit 4
fi

case "$1" in
    '')
	echo "Usage: ipsec <command> <argument ...>"
	echo "Use --help for a list of commands, or see the ipsec(8) manual page"
	echo "Most commands have their own manual pages, e.g. ipsec_auto(8)."
	echo "See <http://www.libreswan.org> for more general info."
	fixversion
	echo "Linux Libreswan $version"
	exit 0
	;;
    status|--status)
	exec ipsec auto --status
	;;
    start|--start)
	exec ipsec setup start
	;;
    stop|--stop)
	exec ipsec setup stop
	;;
    restart|--restart)
	# restart does not work when stoped in systemd - it's dumb
	ipsec setup stop 
	exec ipsec setup start
	;;
    help|--help)
	echo "Usage: ipsec <command> <argument ...>"
	echo "where <command> is one of:"
	echo ""
	if [ -x /bin/printf -o -x /usr/bin/printf ]; then
	    DOCOLS="1"
	else
	    DOCOLS=""
	fi
	for f in $(ls $IPSEC_LIBDIR $IPSEC_EXECDIR | egrep -v -i "$DONTMENTION"); do
	    if [ -x $IPSEC_LIBDIR/$f || test -x $IPSEC_EXECDIR/$f ]; then
		if [ -z "$DOCOLS" ]; then
		    # we can only produce a simply list, which scrolls beyond 24 lines
		    echo "	$f"
		elif [ -z "$GOTTWO" ]; then
		    # first of two entries
		    GOTTWO=$f
		else
		    # second of two entries, we can print
		    printf "   %-10s   %15s\n" $GOTTWO $f
		    GOTTWO=""
		fi
	    fi
	done
	echo
	echo "See also: ipsec <command> --help"
	echo "Most commands have their own manual pages, e.g. ipsec_auto(8)."
	echo "ipsec stop|start|restart is an alias for ipsec setup stop|start|restart"
	echo "See <http://www.libreswan.org> for more general info."
	fixversion
	echo "Linux Libreswan $version"
	exit 0
	;;
    # some ubuntu/debian scripts use --versioncode, so let's keep the alias
    version|--version|--versioncode)
	fixversion
	echo "Linux Libreswan $version"
	exit 0
	;;
    --directory)
	echo "$IPSEC_DIR"
	exit 0
	;;
    import|--import)
	if [ -z "$2" ]; then
	    echo >&2 "usage: ipsec import /path/to/pkcs.12"
	    exit 1
	else
	    if [ ! -f $2 ]
	    then
		echo >&2 "usage: ipsec import /path/to/pkcs.12"
		exit 1
	    fi
	fi
	# this hardcoded ipsec.d needs to get fixed once we pass IPSECD properly
	pk12util -i $2 -d @FINALCONFDDIR@
	if [ -x /usr/sbin/restorecon ]; then
	    restorecon @FINALCONFDDIR@ -Rv
	fi
	exit 0
	;;
    initnss|--initnss)
	if [ -f "@FINALCONFDDIR@/cert8.db" -o -f "@FINALCONFDDIR@/key3.db" -o -f "@FINALCONFDDIR@/secmod.db" ]; then
	    echo "NSS database already initialised - aborted"
	    echo "To wipe the old NSS database, issue: rm @FINALCONFDDIR@/*.db"
	    exit 42
	fi

	echo "Initializing NSS database"
	echo "If you want to ensure the IPsec subsystem can start unattended,"
	echo "   use an empty password"
	echo ""

	certutil -N -d @FINALCONFDDIR@
	if [ -x /usr/sbin/restorecon ]; then
	    restorecon @FINALCONFDDIR@ -Rv
	fi
	exit 0
	;;
    --*)
	echo "$0: unknown option \"$1\" (perhaps command name was omitted?)" >&2
	exit 1
	;;
esac

cmd="$1"
shift

path="$IPSEC_EXECDIR/$cmd"

if [ ! -x "$path" ]; then
    path="$IPSEC_LIBDIR/$cmd"
    if [ ! -x "$path" ]; then
	echo "$0: unknown IPsec command \"$cmd\" (\"ipsec --help\" for list)" >&2
	exit 1
    fi
fi

exec $path "$@"
